Up to 40,000 credit cards affected by OnePlus hack that happened two months ago

Smartphone maker OnePlus has confirmed that hackers scooped up as many as 40,000 credit card numbers, security codes and expiry dates from its online checkout.

The admission came a week after hundreds of users reported unauthorized transactions on cards that were recently used to make a purchase on the OnePlus website.

OnePlus last week suspended credit card payments on the site while it was investigating whether the fraud reports were linked to an issue with the site.

OnePlus says that attackers in mid-November compromised one of its servers and injected a malicious script into the payment page. The script intermittently sniffed and captured credit card details directly from the browser as users entered payment information on the page.

Compromised details included credit card numbers, expiry dates and security codes. Customers who used a card on the site between mid-November 2017 and January 11, 2018 may be affected. Though the breach occurred nearly two months ago, users only began reporting fraudulent card purchases last week.

OnePlus notes that anyone who used PayPal, credit card via PayPal, or a credit card that was saved to the site was not affected.

The company has sent an email notifying potentially affected customers and says it has quarantined the compromised server.

“We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future,” the company said.

The company has quickly built a loyal fanbase in Europe, North America and Asia by offering flagship smartphone features at a fraction of the cost of Samsung Galaxy S phones and the iPhone. OnePlus launched sales in Australia last August with its OnePlus 5, which started at $599 for a phone with 6 GB memory and 64 GB storage.
